Threat Description

Caligula

Details

Category: Malware
Type: Virus
Platform: W97M
Aliases: Caligula

Summary


W97M/Caligula is a Word macro virus that attacks the popular PGP (Pretty Good Privacy) encryption program.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The virus spreads by keeping its code in a file called c:\io.vxd.

The summary information of infected documents is changed to this:

     Title:    WM97/Caligula Infection
     Subject:  A Study In Espionage Enabled Viruses
     Author:   Opic
     Keywords: / Caligula / Opic / Codebreakers /
     Comments: The Best Security Is Knowing The Other Guy Hasn't Got Any

The virus hooks the Tools/Macro, Tools/Customize, View/Toolbars and View/Status Bar menus. The Tools/Macro menu is greyed out and cannot be accessed, so the user cannot inspect the macros from within Word.

On the 31st of each month the virus shows a dialog with this message:

     WM97/Caligula (c) Opic [CodeBreakers 1998]
     No cia,
     No nsa,
     No satellite,
     Could map our veins.

The really nasty part of the virus is related to PGP: the virus locates the user's PGP secret keyring file (SECRING.SKR) and tries to send it by FTP to a site in the codebreakers.org domain (a known virus exchange site). To send the key, the virus creates a temporary file called c:\cdbrk.vxd.

If the attacker can break the passphrase that protects the stolen secret key, he can then open PGP-encrypted files sent to this user.

This is quite serious, as passphrases are the weakest known link today in public key cryptography such as PGP. People also very commonly choose passphrases that are too weak. With a copy of the keyring, an attacker can run massive brute-force attacks offline for as long as he likes, and the user may never know that a copy of the keyring has been taken.
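The indicators in this description (the summary-information strings written into infected documents, the two drop files and the FTP exfiltration to the codebreakers.org domain) lend themselves to a simple host and log triage. The following is an added example, not F-Secure's code: the indicator values come from this description, while the log line format and all sample inputs are constructed for illustration.

```python
import re

# Summary-information values the virus writes into infected documents.
CALIGULA_METADATA = {"Title": "WM97/Caligula Infection", "Author": "Opic"}
KEYWORD_MARKERS = ("Caligula", "Opic", "Codebreakers")
# Files the virus creates on the host, and the domain it exfiltrates to.
DROPPED_FILES = {r"c:\io.vxd", r"c:\cdbrk.vxd"}
EXFIL_DOMAIN_RE = re.compile(r"(^|\.)codebreakers\.org$", re.IGNORECASE)


def metadata_is_caligula(props):
    """True if a document's summary information carries the virus signature."""
    for key, value in CALIGULA_METADATA.items():
        if props.get(key, "").strip() != value:
            return False
    keywords = props.get("Keywords", "")
    return all(marker in keywords for marker in KEYWORD_MARKERS)

def dropped_files_present(paths):
    """Return the Caligula drop files found in a path list (lower-cased, sorted)."""
    return sorted({p.lower() for p in paths if p.lower() in DROPPED_FILES})

def suspicious_ftp_events(log_lines):
    """Return (dst, file) pairs for FTP sessions to the exfiltration domain."""
    hits = []
    for line in log_lines:
        # Constructed line format: "<time> proto=<p> dst=<host> file=<name>"
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("proto", "").lower() != "ftp":
            continue
        if EXFIL_DOMAIN_RE.search(fields.get("dst", "")):
            hits.append((fields["dst"], fields.get("file", "")))
    return hits

def triage(props, paths, log_lines):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    if metadata_is_caligula(props):
        findings.append("summary information matches W97M/Caligula")
    findings += [f"drop file present: {p}" for p in dropped_files_present(paths)]
    findings += [f"FTP to {d} carrying {f}" for d, f in suspicious_ftp_events(log_lines)]
    return findings


# Constructed sample inputs (not real telemetry).
SAMPLE_PROPS = {"Title": "WM97/Caligula Infection", "Author": "Opic",
                "Keywords": "/ Caligula / Opic / Codebreakers /"}
SAMPLE_PATHS = [r"C:\IO.VXD", r"c:\cdbrk.vxd", r"c:\windows\win.ini"]
SAMPLE_LOG = ["10:01:02 proto=ftp dst=ftp.codebreakers.org file=SECRING.SKR",
              "10:01:05 proto=http dst=www.example.com file=index.html",
              "10:02:10 proto=ftp dst=files.example.org file=report.doc"]
```

Any hit on the FTP check should be treated as a keyring compromise: the affected secret key is revoked and a new key pair generated, since removing the virus does not undo the theft.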





Technical Details: Katrin Tocheva, F-Secure

